
Provide configuration properties for configuring Tomcat's relaxed path and query chars #17510

Closed

Conversation

@dirkdeyne
Contributor

dirkdeyne commented Jul 14, 2019

Make Tomcat's Context attributes relaxedPathChars and relaxedQueryChars configurable in application.properties

Fixes gh-17509

dirkdeyne added 2 commits Jul 14, 2019
Prevent Tomcat rejecting requests that contain unencoded characters.
@wilkinsona wilkinsona changed the title Avoid Tomcat crashes when requests containing certain (unencoded) characters. Provide configuration properties for configuring Tomcat's relaxed path and query chars Jul 14, 2019
@philwebb

Member

philwebb commented Jul 14, 2019

I wonder if we should consider enabling both of these by default? @markt-asf would there be any significant downsides? Did you consider changing the Tomcat defaults ever?

@vpavic

Member

vpavic commented Jul 14, 2019

+1 for exposing these as configuration properties, but I wouldn't like to see Spring Boot configure non-spec-compliant behavior by default.

@markt-asf


markt-asf commented Jul 14, 2019

Tomcat tightened up parsing to address security issues (request injection and such). There are some characters that are probably safe but my strong preference is that Tomcat is spec compliant by default.

@dirkdeyne

Contributor Author

dirkdeyne commented Jul 14, 2019

Only " < > [ \ ] ^ ` { | } characters are allowed by Tomcat; others are ignored.

ref doc

The HTTP/1.1 specification requires that certain characters are %nn encoded when used in URI query strings. Unfortunately, many user agents including all the major browsers are not compliant with this specification and use these characters in unencoded form. To prevent Tomcat rejecting such requests, this attribute may be used to specify the additional characters to allow. If not specified, no additional characters will be allowed. The value may be any combination of the following characters: " < > [ \ ] ^ ` { | } . Any other characters present in the value will be ignored.

@philwebb

Member

philwebb commented Jul 17, 2019

Thanks for the input everyone. We're going to add the properties but keep the defaults as they are.

@snicoll

Member

snicoll commented Jul 18, 2019

@dirkdeyne thank you for making your first contribution to Spring Boot. I've polished your proposal by using a list of characters rather than the raw string that Tomcat uses. This is also a chance for us to provide dedicated metadata for valid values.
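As an added example (not code from this PR, Spring Boot or Tomcat), a small Python model of the rule quoted from the Tomcat docs above and of the list-of-characters property snicoll describes: it reports which configured characters Tomcat would silently ignore, and which characters in a raw path or query a spec-compliant connector would still reject under a given relaxed setting. The RFC 3986 character classes used here are my simplification of what Tomcat's parser enforces, not Tomcat's own code.

```python
import string

# Characters Tomcat honours in relaxedPathChars / relaxedQueryChars
# (from the connector documentation quoted in this thread); anything
# else in the configured value is ignored.
TOMCAT_RELAXABLE = frozenset('"<>[\\]^`{|}')

# Simplified model of the spec-compliant grammar (assumption, not Tomcat's
# tables): RFC 3986 unreserved + sub-delims, the extra literals a path
# segment / query may contain, and '%' so percent-encoded octets pass.
_UNRESERVED = frozenset(string.ascii_letters + string.digits + "-._~")
_SUB_DELIMS = frozenset("!$&'()*+,;=")
SPEC_PATH_CHARS = _UNRESERVED | _SUB_DELIMS | frozenset(":@/%")
SPEC_QUERY_CHARS = SPEC_PATH_CHARS | frozenset("?")


def effective_relaxed_chars(configured: str) -> tuple[frozenset, frozenset]:
    """Split a configured relaxed-chars value into (honoured, ignored).

    Only characters from TOMCAT_RELAXABLE take effect; the rest are dropped
    silently, which is worth surfacing when validating configuration.
    """
    honoured = frozenset(c for c in configured if c in TOMCAT_RELAXABLE)
    ignored = frozenset(c for c in configured if c not in TOMCAT_RELAXABLE)
    return honoured, ignored


def rejected_chars(component: str, kind: str, relaxed: str = "") -> frozenset:
    """Characters in a raw path ('path') or query ('query') that a connector
    configured with `relaxed` would still refuse, i.e. the ones a client must
    percent-encode for the request to be accepted.
    """
    base = SPEC_QUERY_CHARS if kind == "query" else SPEC_PATH_CHARS
    honoured, _ = effective_relaxed_chars(relaxed)
    allowed = base | honoured
    return frozenset(c for c in component if c not in allowed)


if __name__ == "__main__":
    # Constructed sample: a JSON-ish query string as a browser sends it, unencoded.
    raw = 'filter={"ids":[1,2]}'
    print("spec-compliant rejects:", sorted(rejected_chars(raw, "query")))
    print("relaxed '[]' still rejects:", sorted(rejected_chars(raw, "query", "[]")))
    print("ignored in '[]#':", sorted(effective_relaxed_chars("[]#")[1]))
```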

